S/MIME encryption

In cloud services, is it even more important than before to pay attention to the confidentiality of data (e.g. emails).

The university offers several encryption options. These instructions cover the more flexible option for those processing larger amounts of confidential data. This option should be implemented by the recommendation of e.g. your supervisor or Helpdesk.

If you have no particular reason to use this encryption method, use the lighter option:

All communications need not be encrypted.
Implement encryption individually when handling encrypted materials. More detailed classifications in Flamma.

    Instructions for S/MIME encryption. Steps 1, 2, and 5 need only be carried out once.


    Encrypted email can only be sent and read in this manner on the computer and software (Outlook or Thunderbird) on which the certificate has been installed!

    1. Ordering S/MIME encryption

    Send (empty) email to smime-request@helsinki.fi.s

    In a moment, you will receive an email from the same address with the header Certificate Request. The email will contain a link to securemail.helsinki.fi. Click on the link.

    Please note that the link will work ONLY once for security reasons.

    A browser window is opened for creating a password for the encryption.

    Enter the password (twice for verification) and click Create.

    Remember to save the password for later use as well, as you will need it when, for instance, changing computers.

    Next, you will be instructed to download the certificate on the computer. Make sure to save the file in a location where you can find it easily in a little while, such as the desktop.

    2. Importing the certificate to Outlook

    Instructions for Thunderbird here>>

    Open Outlook.
    Go to File > Options > Trust Center >> Trust Center Settings >> E-mail Security.
    Click Import/Export.

    Find the recently saved .p12 file in Import File and add the password you created. Click OK.

    Next, you will see a notification of importing a new encrypted key. You do not need to change the default settings. Click OK.

    Next, you will see a security warning notifying you that if you install the certificate, you will automatically trust the encryption from securemail.helsinki.fi. Select Yes to continue.

    Click Settings.

    The Change Security Settings window will open. You do not need to change the settings. Click OK.
    This procedure activates the recently imported encryption certificate. Click OK.

    3. Ordering the certificate of the recipient

    You must order a public certificate for each person you wish to send encrypted email.

    Send an email to smime-request@helsinki.fi.s with the header "recipient's email address.s (e.g. firstname.surname@helsinki.fi.s).

    In a moment, you will receive a reply. Click the header with the right mouse button and select Add to Outlook Contacts.

    This procedure activates the certificate for your use.

    4. Sending an encrypted message

    When you have ordered the certificate of the recipient and saved the contact's encrypted email address to your contacts (see the previous step), you can send an encrypted message to the person. One person can have two email addresses; an encrypted and unencrypted one.

    In Outlook, click on the Options tab (1) and click on the Encrypt and Sign options (2).
    In Thunderbird, select Security > Encrypt This Message and Digitally Sign this Message.
    Remember to check that the address ends with .s (3). The address can now be found in the address book, so make sure to check that you select the encrypted email address.

    Outlook view:

    The same view in Thunderbird:

    When you click Send, Outlook will ask for the permission to use the key. Select Grant permission and click OK.

    5. Storing the certificate

    The certificate is like a form of ID. Make sure to keep it safe.

    The certificate should be carefully stored. However, do not store it on your work computer in an unencrypted place, but on an ENCRYPTED flash drive (instructions for encrypted flash drive). Another sufficiently safe alternative is a password-protected .zip file (instructions for password-protected .zip-file) on a university network drive only you can access. In these cases, remember to also use sufficient password protection.

    If the certificate is lost, it has to be abandoned, and the information security must generate a new certificate for the user. This makes email encrypted with the old certificate permanently unreadable. If you have problems with the certificate, please contact Helpdesk.

    6. Troubleshooting

    If you have not saved the contact yet and wish to send them encrypted email, you will receive the following notification. To fix this, repeat step: Ordering the certificate of the recipient.

    Trying to open mail in OWA or on a mobile device
    Encrypted email cannot be opened on other computers or with other browsers. An encrypted email will only open with the email software (Outlook or Thunderbird) for which the certificate has been installed.

    The email will not open and the following notification opens:

    If you try to open the email with a double click, you will receive the following message:
    Sorry, we're having trouble opening this item. This could be temporary, but if you see it again you might want to restart Outlook. Your Digital ID name cannot be found by the underlying security system.

    The sender has sent an encrypted email (by accident) to your unencrypted address (without the .s at the end). Ask the sender to send it to your correct address.

    Importing the certificate to Thunderbird

    • Open Thunderbird. Open Tools > Options > Advanced > Certificates.
    • Click View Certificates.

    • On the Your Certificates tab, click Import... Find the .p12 certificate file you received in the previous step and click Open.

    • Next, you will be asked to enter the certificate password created in step 1.

    • the certificate Hyliopisto appears on the list.

    • Next, go to the Authorities tab. Find the University of Helsinki certificate. Under the certificate, you will find two securemail.helsinki.fi certificates, which must both be edited as follows:
      • Select the certificate and click Edit trust...

    A new window opens. Select This certificate can identify mail users. Click OK. Repeat this step for both securemail.helsinki.fi certificates and click OK.

    Next, open Options > Account settings. Go to the Security tab in helsinki.fi. In Select... click Digital Signing.

    • Select Certificate will open with the recently created Imported Certificate. In the preview window below, you can see the address for which the certificate was created to ensure it is the correct certificate. If there are previously installed certificates on the computer, you may have to select the certificate from the list at the top of the screen. Click OK.
    • Repeat the procedure in Encryption.

    Microsoft instructions

    Give feedback

    The instructions site of the University of Helsinki's IT Helpdesk helps you with IT-related issues related to your work. Let us know how we can improve our instructions. We greatly appreciate your feedback!

    How would you improve these instructions?
    Back to top